Once more, LJ valid_to timespan.
Carl Howells
chowells at janrain.com
Fri Jul 1 09:54:03 PDT 2005
Once again, I'd like to bring up LJ's openid server's return valid_to.
It's still set only one minute in the future. I believe that shows a
misunderstanding of the spec, and should be corrected.

As I understand the spec (and others have agreed with my
interpretation), the valid_to date is NOT how long the user and consumer
have to complete the login process. Rather, it's how long the server is
allowing the user to stay logged in to the consumer site.

Having the valid_to time set at only one minute into the future is
awful. It requires all spec-compliant consumers to re-authorize the
user every minute. This is really strange behavior on the part of an
openid server, as it guarantees that it will constantly be hammered with
checkid_* requests from consumers that have followed the spec.

Please up this to a more useful value. An hour seems like the absolute
minimum useful time. A day sounds like a reasonable choice at the low
end. A week doesn't seem unreasonably long.

I know we're not the only ones who've run into this and thought it's a
very strange decision.

Carl